# NIS 2 Directive Compliance Guide 2026: Who's Affected and What You Must Do


The NIS 2 Directive is the most significant cybersecurity regulation ever enacted by the European Union. It dramatically expands the scope of the original NIS Directive from 2016, covering an estimated 160,000+ organizations across the EU — up from roughly 10,000 under NIS 1.
If you operate in the EU or provide services to EU organizations in critical sectors, NIS 2 compliance is not optional. The penalties for non-compliance reach up to €10 million or 2% of global annual turnover, and — for the first time in EU cybersecurity law — senior management can be held personally liable.
This guide explains who's affected, what's required, and how to implement NIS 2 compliance step by step.
## What Is the NIS 2 Directive?
The Network and Information Security Directive 2 (Directive (EU) 2022/2555) was adopted in January 2023 and entered into force on January 16, 2023. EU Member States had until October 17, 2024 to transpose it into national law.
NIS 2 replaces the original NIS Directive (2016/1148) with significantly expanded scope, stricter requirements, and stronger enforcement mechanisms. Its purpose is to achieve a high common level of cybersecurity across the European Union.
Key differences from NIS 1:
| Aspect | NIS 1 (2016) | NIS 2 (2022) |
|--------|--------------|--------------|
| Covered entities | ~10,000 | ~160,000+ |
| Sectors | 7 sectors | 18 sectors |
| Entity classification | OES + DSP | Essential + Important |
| Size threshold | Determined by Member States | Harmonized EU-wide (medium+ enterprises) |
| Penalties | Determined by Member States | Harmonized: up to €10M or 2% turnover |
| Management liability | None | Personal liability for management |
| Supply chain | Minimal focus | Explicit supply chain security requirements |
| Incident reporting | 72 hours | 24-hour early warning + 72-hour notification |
## Who Must Comply with NIS 2?
NIS 2 classifies organizations into two categories: essential entities and important entities. Both must comply with the same security requirements, but essential entities face more stringent supervision and enforcement.
### Size Thresholds
The directive uses a size-cap rule: organizations are in scope if they are classified as medium-sized or larger under EU definitions. Note that the employee count alone is sufficient; the financial thresholds apply together:
- Medium enterprise: 50+ employees, OR (€10M+ annual turnover AND €10M+ balance sheet total)
- Large enterprise: 250+ employees, OR (€50M+ annual turnover AND €43M+ balance sheet total)
### Sectors Covered
#### Essential Entities (Annex I — High Criticality)
- Energy — electricity, oil, gas, hydrogen, district heating/cooling
- Transport — air, rail, water, road
- Banking — credit institutions
- Financial market infrastructures — trading venues, central counterparties
- Health — healthcare providers, EU reference laboratories, medical device manufacturers, pharmaceutical companies
- Drinking water — supply and distribution
- Wastewater — collection, disposal, treatment
- Digital infrastructure — IXPs, DNS providers, TLD registries, cloud computing providers, data center operators, CDN providers, trust service providers, electronic communications networks/services
- ICT service management (B2B) — managed service providers, managed security service providers
- Public administration — central government entities
- Space — operators of ground-based infrastructure
#### Important Entities (Annex II — Other Critical Sectors)
- Postal and courier services
- Waste management
- Manufacturing of chemicals — production and distribution
- Food — production, processing, distribution
- Manufacturing — medical devices, computers/electronics, electrical equipment, machinery, motor vehicles, other transport equipment
- Digital providers — online marketplaces, search engines, social networking platforms
- Research organizations
### Are You In Scope? Decision Tree
1. Does your organization operate in one of the 18 sectors listed above? If no → Not in scope
2. Is your organization a medium enterprise or larger (50+ employees or €10M+ revenue)? If no → Generally not in scope (with exceptions for certain digital infrastructure providers)
3. Do you operate in or provide services within the EU? If no → Generally not in scope (but check: NIS 2 can apply to non-EU entities providing services in the EU)
4. If yes to all → You are in scope. You are an essential entity if you're in an Annex I sector and are a large enterprise, or in specific categories regardless of size. Otherwise, you're an important entity.
## The 10 Minimum Security Measures
Article 21 of NIS 2 requires all in-scope entities to implement appropriate and proportionate technical, operational, and organizational measures. The directive specifies 10 minimum categories:
### 1. Risk Analysis and Information Security Policies
You must establish and maintain a comprehensive information security risk management approach. This includes:
- Formal information security policies approved by management
- Regular risk assessments covering all information systems
- Risk treatment plans with defined acceptance criteria
- Documented risk appetite and tolerance levels
### 2. Incident Handling
NIS 2 has specific and strict incident handling requirements:
- Incident detection capabilities (SIEM, SOC, or equivalent)
- Classification procedures to determine significance
- Response procedures with defined roles and escalation paths
- Post-incident analysis and lessons learned

Reporting deadlines for significant incidents:
- 24 hours: Early warning to the national CSIRT or competent authority
- 72 hours: Full incident notification with initial assessment of severity and impact
- 1 month: Final report with detailed description, root cause, mitigation measures, and cross-border impact assessment
### 3. Business Continuity and Crisis Management
You must ensure continuity of essential services through:
- Business impact analysis
- Business continuity plans
- Disaster recovery plans
- Backup management (strategy, testing, restoration procedures)
- Crisis management procedures
- Regular testing (tabletop exercises, simulation drills)
### 4. Supply Chain Security
This is one of NIS 2's most impactful requirements. You must address:
- Security-related aspects in relationships with direct suppliers and service providers
- Vulnerability-specific assessment of each direct supplier
- Overall quality of products and cybersecurity practices of suppliers
- Contractual security requirements
- Results of coordinated security risk assessments of critical supply chains (as carried out by the Cooperation Group)
### 5. Security in Network and Information Systems Acquisition, Development, and Maintenance
Security must be integrated into the lifecycle of information systems:
- Secure development practices (SSDLC)
- Security requirements in procurement
- Vulnerability handling and disclosure
- Patch management procedures
- Security testing (code review, SAST/DAST, penetration testing)
- Configuration management and hardening
### 6. Policies and Procedures to Assess Cybersecurity Risk-Management Effectiveness
You can't just implement measures — you must prove they work:
- Regular security audits (internal and external)
- Security metrics and KPIs
- Compliance monitoring
- Effectiveness testing
- Management review of security program performance
### 7. Basic Cyber Hygiene Practices and Cybersecurity Training
All staff must receive regular cybersecurity awareness training. Management must receive specific training to assess cybersecurity risks and their impact on operations.
Article 20(2) specifically requires that members of management bodies follow such training, and that entities are encouraged to offer similar training to their employees on a regular basis.
### 8. Policies and Procedures Regarding the Use of Cryptography and Encryption
You must have documented policies governing:
- When and how to use cryptographic controls
- Encryption standards (algorithms, key lengths)
- Key management procedures
- Encryption in transit and at rest
- Certificate management
### 9. Human Resources Security, Access Control, and Asset Management
Covering the people and access dimension:
- Pre-employment screening for critical roles
- Security responsibilities in employment contracts
- Access control policies based on least privilege
- Privileged access management
- Identity and authentication management
- Asset inventory and classification
- Offboarding procedures (access revocation)
### 10. Use of Multi-Factor Authentication, Secured Communication, and Secured Emergency Communication
Specific technical requirements:
- MFA or continuous authentication for critical systems
- Secured voice, video, and text communications
- Secured emergency communication systems that function during incidents
## NIS 2 Penalties and Enforcement
### For Essential Entities
- Maximum fine: €10,000,000 or 2% of total worldwide annual turnover (whichever is higher)
- Supervision: Proactive — authorities can conduct audits, inspections, and security scans at any time
- Enforcement actions: Binding instructions, implementation deadlines, administrative fines, temporary suspension of certifications or authorizations
### For Important Entities
- Maximum fine: €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher)
- Supervision: Reactive — authorities investigate after evidence of non-compliance
- Enforcement actions: Same as essential entities
### Management Liability (Article 20)
For the first time in EU cybersecurity law, management bodies can be held personally liable for infringements. Specifically:
- Management must approve the cybersecurity risk management measures
- Management must oversee their implementation
- Management can be held liable for infringements
- Management must undergo training in cybersecurity
## NIS 2 Compliance: Implementation Roadmap
### Phase 1: Scoping and Gap Analysis (Months 1-2)
- Confirm you're in scope using the sector and size criteria above
- Determine your classification (essential or important entity)
- Identify applicable national transposition — each EU Member State may have variations
- Conduct a gap analysis against the 10 minimum measures
- Assess your current maturity — if you already have ISO 27001 or SOC 2, you have a significant head start
- Brief the management body — they need to understand their personal obligations
### Phase 2: Risk Assessment and Planning (Months 2-4)
- Perform a comprehensive risk assessment covering all information systems in scope
- Assess supply chain risks — catalogue critical suppliers and evaluate their security posture
- Develop a risk treatment plan addressing identified gaps
- Define cybersecurity KPIs for ongoing measurement
- Allocate budget and resources — management must ensure adequate resources
### Phase 3: Implementation (Months 4-10)
- Implement technical controls — MFA, encryption, monitoring, vulnerability management, backup/recovery
- Establish incident handling capabilities — detection, response, and the 24/72-hour reporting process
- Develop business continuity plans and conduct initial testing
- Implement supply chain security program — vendor assessments, contractual clauses, ongoing monitoring
- Deploy security awareness training for all staff and specific training for management
- Write and approve policies covering all 10 minimum measure categories
- Establish secure development practices if you develop software
### Phase 4: Validation and Continuous Compliance (Months 10-12+)
- Conduct internal audits against NIS 2 requirements
- Test incident response through tabletop exercises and simulations
- Test business continuity through disaster recovery drills
- Review and report to management on cybersecurity program effectiveness
- Register with national authorities if required by your Member State's transposition
- Establish continuous monitoring — NIS 2 compliance is ongoing, not a one-time exercise
## NIS 2 and ISO 27001: The Relationship
ISO 27001 is widely recognized as the most natural framework for achieving NIS 2 compliance. The European Commission has explicitly stated that ISO 27001 certification can demonstrate compliance with many NIS 2 requirements.
Here's how they map:
| NIS 2 Requirement | ISO 27001 Coverage |
|---|---|
| Risk analysis and security policies | Clauses 6, 8 + multiple Annex A controls ✅ |
| Incident handling | A.5.24-A.5.28 ✅ |
| Business continuity | A.5.29-A.5.30 ✅ |
| Supply chain security | A.5.19-A.5.23 ✅ |
| System lifecycle security | A.8.25-A.8.34 ✅ |
| Effectiveness assessment | Clause 9 + A.5.35-A.5.36 ✅ |
| Cyber hygiene and training | A.6.3 + A.5.10 ✅ |
| Cryptography | A.8.24 ✅ |
| HR security and access control | A.6.1-A.6.6 + A.5.15-A.5.18 + A.8.2-A.8.5 ✅ |
| MFA and secure communications | A.8.5 + A.8.20 ✅ |
The gap: ISO 27001 covers approximately 70-80% of NIS 2 requirements. The main gaps are:
- Specific incident reporting timelines (24h/72h/1 month) — ISO 27001 requires incident management but doesn't prescribe timelines
- Management body liability and training obligations — ISO 27001 requires management commitment but not the specific NIS 2 obligations
- Coordinated vulnerability disclosure — NIS 2 introduces specific requirements around CVD
- National authority registration and reporting — Regulatory compliance obligations beyond ISO 27001's scope
## NIS 2 Implementation by Country
Each EU Member State has transposed (or is transposing) NIS 2 into national law with potential variations. Key examples:
- Germany: NIS2UmsuCG — adds sector-specific requirements for critical infrastructure operators
- France: Transposed via updates to existing ANSSI frameworks
- Netherlands: Cyberbeveiligingswet (Cybersecurity Act)
- Poland: Amendments to the National Cybersecurity System Act (Ustawa o Krajowym Systemie Cyberbezpieczeństwa)
- Belgium: NIS 2 law with CCB (Centre for Cybersecurity Belgium) as the competent authority
## Frequently Asked Questions
### Does NIS 2 apply to non-EU companies?
Yes, if they provide services within the EU in covered sectors. Non-EU entities must designate a representative in one of the Member States where they provide services.
### What's a "significant incident" that triggers reporting?
An incident that: (a) has caused or is capable of causing severe operational disruption or financial loss for the entity, or (b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
### Can ISO 27001 certification substitute for NIS 2 compliance?
Not entirely, but it demonstrates compliance with the majority of requirements. Some Member States explicitly recognize ISO 27001 certification as evidence of compliance with NIS 2 security measures.
### What if I'm a small company with fewer than 50 employees?
Generally, you're not in scope unless you're a provider of DNS services, TLD registries, cloud computing, data center services, CDNs, managed services, managed security services, or online marketplaces/search engines/social platforms.
### When do penalties start?
Enforcement is active in Member States that have completed transposition. If your Member State has transposed NIS 2, penalties can already be imposed.
## Getting Started with NIS 2 Compliance
- Confirm your scoping — sector, size, entity classification
- Identify your Member State's specific requirements — check the national transposition
- Assess your current maturity — gap analysis against the 10 minimum measures
- Get management buy-in — make sure leadership understands their personal liability
- Choose a compliance framework — ISO 27001 is the fastest path to covering most NIS 2 requirements
- Deploy a compliance management platform — Meewco provides NIS 2 control mapping (110+ controls), cross-framework alignment with ISO 27001 and GDPR, and automated compliance monitoring
The time to start is now.
Need to assess your NIS 2 readiness? Request a demo to see how Meewco maps NIS 2 requirements to your existing controls, identifies gaps, and provides a clear path to compliance across NIS 2, ISO 27001, and GDPR simultaneously.
